Yahoo to encrypt webmail sessions by default starting January

Yahoo plans to make HTTPS connections standard for all users starting Jan. 8.

Yahoo will start encrypting the webmail sessions of its users in early 2014 by making HTTPS (Hypertext Transfer Protocol Secure) standard for all Yahoo Mail connections.

Security experts, privacy advocates and users have asked Yahoo for this feature for a long time. Other major webmail providers already offer it.

In November 2012, the Electronic Frontier Foundation with other privacy, security and human rights organizations, sent a letter to Yahoo CEO Marissa Mayer asking the company to add HTTPS support to its communication services, including email and instant messaging.

HTTPS, which combines the HTTP Web communications protocol with the Secure Sockets Layer (SSL) encryption protocol, is widely used to secure connections between Web users and websites, and prevents sensitive data from being intercepted and read by unauthorized parties while in transit.

Yahoo started rolling out a new Web interface for Yahoo Mail late last year that provided support for full-session HTTPS, but only as an option. In order to enable the feature, users can go in their email account settings and check the "Use SSL" box in the "Security" section.

"Starting January 8, 2014, we will make encrypted https connections standard for all Yahoo Mail users," Jeffrey Bonforte, Yahoo's senior vice president of communication products, said Monday in a blog post. "Our teams are working hard to make the necessary changes to default https connections on Yahoo Mail, and we look forward to providing this extra layer of security for all our users."

The move comes at a time when there is increased discussion about privacy and security online following revelations that the U.S. National Security Agency and the intelligence agencies of other countries are running extensive electronic surveillance programs.

Some of the NSA programs revealed by documents leaked by former NSA contractor Edward Snowden involve the upstream interception of Internet traffic as it passes through global networks, as well as data collection from online services providers including Yahoo, Microsoft, Google, Apple, Facebook, AOL and others.

This type of upstream data collection is something that HTTPS can potentially prevent, as long as the implementation is strong enough. The service provider might be later compelled to hand over the decrypted data at its end, but at least in that case the interception would be done with its knowledge.

In addition to preventing bulk data collection by government agencies, HTTPS can also prevent hacker attacks, like the theft of authentication cookies over insecure wireless networks or through cross-site scripting attacks.